On Tuesday, August 11th, 2009, Microsoft released three security updates for Office Web Components (OWC) to address four security vulnerabilities. Office Web Components are Microsoft COM controls that allow users to publish spreadsheets, charts, and databases to an intranet and edit published documents within a Web browser. Office Web Components technology has been deprecated. This means that only security fixes are being made to all versions of OWC, and no future versions of OWC will be produced. The security updates apply to Microsoft Office 2000, Office XP, and Office 2003 Web Components, and are described in security bulletin MS09-043 (http://www.microsoft.com/technet/security/bulletin/MS09-043.mspx).

The updates address the issue discussed in security advisory 973472 (http://support.microsoft.com/kb/973472). The security updates resolve several privately reported vulnerabilities in Microsoft Office Web Components that could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

For more detailed information, see Microsoft Security Updates for August 2009 (http://www.microsoft.com/protect/computer/updates/bulletins/200908.mspx) for home users and Microsoft Security Bulletin Summary for August 2009 (http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx) for IT professionals.

There are three versions of Office Web Components, and each version was also released as part of the next version of Office. For example, Office 2000 Web Components were released as part of both Office 2000 and Office XP. For more information about Office Web Components, see the Office Sustained Engineering team’s blog Office Web Components Lifecycle (http://blogs.technet.com/office_sustained_engineering/archive/2009/06/30/office-web-components-lifecycle.aspx).

The following table maps the different versions of Office Web Components to the updates needed for those versions.

| OWC Version | From Product | Patch Needed |
| --- | --- | --- |
| 2000 | Office XP | KB947320 |
| XP (2002) | Office XP, web download | KB947320 |
| XP (2002) | Office 2003 | KB947319 |
| 2003 | Office 2003, web download (versions 1-3) | KB947319 |
| 2003 | Web download (version 4), Project Server 2007*, SQL Server 2008** | KB947318 |

*Project Server 2007 includes the installation package for the Office 2003 Web Components so that clients that connect to the server can automatically install the Office Web Components. Project Server installations are not vulnerable to the security vulnerability and do not need to install any updates.

**SQL Server 2008 includes the installation package for the Office 2003 Web Components for use in SQL Server client-side functionality. Most server installations will not contain Office Web Components and will not need to be updated.

Note: Office 2000 is no longer in support, as noted in our earlier blog Microsoft Office 2000 extended support ends in July, 2009 (http://blogs.technet.com/office_resource_kit/archive/2009/05/20/microsoft-office-2000-extended-support-ends-in-july-2009.aspx).

Known issues and additional information

For additional information and for known issues related to this security update, see KB MS09-043: Vulnerabilities in Microsoft Office Web Components could allow remote code execution (http://support.microsoft.com/kb/957638).

Outlook Junk email filter updates

Microsoft also released the following updates for the Outlook Junk Email Filter for Outlook 2003 and Outlook 2007:

· Update for Microsoft Office Outlook 2003 Junk Email Filter (KB972688) (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=44f8ad34-969a-4402-aa83-8a78941de573)

· Update for Microsoft Office Outlook 2007 Junk Email Filter (KB972691) (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=2b832213-f733-4e90-85ea-a086c671f891)